[python3/f20] Fix JSON reading arbitrary process memory (rhbz#1112293)

Matej Stuchlik mstuchli at fedoraproject.org
Mon Jun 30 08:36:29 UTC 2014


commit 0b48f428a32b22b4eb018f947f4e1adb617beaa6
Author: Matej Stuchlik <mstuchli at redhat.com>
Date:   Mon Jun 30 08:50:35 2014 +0200

    Fix JSON reading arbitrary process memory (rhbz#1112293)

 00194-json-add-boundary-check.patch |   37 +++++++++++++++++++++++++++++++++++
 python3.spec                        |   13 +++++++++++-
 2 files changed, 49 insertions(+), 1 deletions(-)
---
diff --git a/00194-json-add-boundary-check.patch b/00194-json-add-boundary-check.patch
new file mode 100644
index 0000000..dcdf348
--- /dev/null
+++ b/00194-json-add-boundary-check.patch
@@ -0,0 +1,37 @@
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin at python.org>
+# Date 1397442496 14400
+# Node ID 4f15bd1ab28fe25c2e381ab05b11b60ce42fe613
+# Parent  b49d990aaa9d708a8c3174f6d51b8e069040ffe4# Parent  8130b8c066062bc589d337aebd3da4b156ee7f45
+merge 3.2
+
+diff --git a/Lib/test/test_json/test_decode.py b/Lib/test/test_json/test_decode.py
+--- a/Lib/test/json_tests/test_decode.py
++++ b/Lib/test/json_tests/test_decode.py
+@@ -70,5 +70,9 @@ class TestDecode:
+         msg = 'escape'
+         self.assertRaisesRegex(ValueError, msg, self.loads, s)
+ 
++    def test_negative_index(self):
++        d = self.json.JSONDecoder()
++        self.assertRaises(ValueError, d.raw_decode, 'a'*42, -50000)
++
+ class TestPyDecode(TestDecode, PyTest): pass
+ class TestCDecode(TestDecode, CTest): pass
+diff --git a/Modules/_json.c b/Modules/_json.c
+--- a/Modules/_json.c
++++ b/Modules/_json.c
+@@ -975,7 +975,10 @@ scan_once_unicode(PyScannerObject *s, Py
+     kind = PyUnicode_KIND(pystr);
+     length = PyUnicode_GET_LENGTH(pystr);
+ 
+-    if (idx >= length) {
++    if (idx < 0)
++        /* Compatibility with Python version. */
++        idx += length;
++    if (idx < 0 || idx >= length) {
+         PyErr_SetNone(PyExc_StopIteration);
+         return NULL;
+     }
+
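Review bot: The added `test_negative_index` pins only one far-out-of-range value (-50000 against a 42-character string), so the edge the new C guard turns on, an index just below `-length`, is never exercised. After `idx += length` it is the second check, `idx < 0 || idx >= length`, that rejects such a value; a case such as `self.assertRaises(ValueError, d.raw_decode, 'a'*42, -43)` next to the existing assertion should cover that boundary for both `TestPyDecode` and `TestCDecode`. In-range negative indices are now deliberately accepted (the "Compatibility with Python version" comment), but the test does not say so, and a one-line comment there would help whoever rebases this patch. Separately, the `diff --git` line names `Lib/test/test_json/` while the `---`/`+++` lines name `Lib/test/json_tests/`; patch(1) presumably follows the latter, but it is worth confirming the regression test really lands in the 3.3.2 tree. `scan_once_unicode` continues outside the hunk, so whether every later read of `idx` sits behind this guard cannot be confirmed from here.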
diff --git a/python3.spec b/python3.spec
index 50ee0d4..87146f4 100644
--- a/python3.spec
+++ b/python3.spec
@@ -126,7 +126,7 @@
 Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.2
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: Python
 Group: Development/Languages
 
@@ -649,6 +649,12 @@ Patch192: 00192-buffer-overflow.patch
 # http://bugs.python.org/issue20778
 Patch193: 00193-skip-correct-num-of-pycfile-bytes-in-modulefinder.patch
 
+# 00194
+#
+# JSON module could read arbitrary process memory
+# rhbz#1112293
+Patch194: 00194-json-add-boundary-check.patch
+
 
 # (New patches go here ^^^)
 #
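Review bot: The comment block for `Patch194` cites only the downstream bug (`rhbz#1112293`) and not where the fix came from, unlike the `Patch193` entry just above it, which links its upstream issue. The patch file's own header names the upstream changeset, so the provenance can be recorded here, e.g. `# Backport of upstream changeset 4f15bd1ab28f; upstream issue: <UPSTREAM-ISSUE-URL>`. That lets a later rebase see at a glance whether the fix is already in the new tarball and the patch can be dropped.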
@@ -915,6 +921,7 @@ done
 %patch190 -p1
 %patch192 -p1
 %patch193 -p1
+%patch194 -p1
 
 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
@@ -1773,6 +1780,10 @@ rm -fr %{buildroot}
 # ======================================================
 
 %changelog
+* Mon Jun 30 2014 Matej Stuchlik <mstuchli at redhat.com> - 3.3.2-16
+- JSON module could read arbitrary process memory
+Resolves: rhbz#1112293
+
 * Fri May 30 2014 Miro HronĨok <mhroncok at redhat.com> - 3.3.2-15
 - In config script, use uname -m to write the arch
 

